Compared to MS Threat Management Gateway 2010, analyzing log files on UTM is a chore. TMG had several advantages:
1. Unified firewall, WAF and proxy logs.
2. Logs were stored in a single file or an internal/external SQL database.
3. The interface for analyzing log data was capable of easily creating very complex queries with point and click.
4. Logging was on by default.
5. Data was broken into columns automatically, did not require parsing a very long text string.
6. Easily exported to Excel for further analysis
I would like to see some of this implemented in UTM. Viewing text files on the Sophos is tedious and quite often results in non-responsive browser sessions.
1. A way to parse live logs with more than just one text field.
2. The ability to turn on all firewall logging without having to go through each rule, in order to see which rule is allowing traffic.
3. Better log parsing performance when there is a large amount of traffic.
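As an added example (not from the post above and not Sophos or Microsoft code), here is a small Python script that does the column-splitting and "which rule handled this packet" summary the poster is asking for, against UTM packet filter log lines. It assumes the key="value" layout that UTM's packetfilter log uses; the four sample lines are constructed, not captured traffic, and the function and column names are my own.

```python
import csv
import io
import re
import sys
from collections import Counter

# Constructed sample lines in the key="value" style of the UTM packetfilter
# log (layout assumed; addresses are documentation ranges, not real traffic).
SAMPLE_LOG = """\
2016:03:01-10:15:02 utm ulogd[4021]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.9" dstip="192.0.2.10" proto="6" srcport="54321" dstport="445"
2016:03:01-10:15:03 utm ulogd[4021]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="2" initf="eth0" outitf="eth1" srcip="10.0.0.5" dstip="198.51.100.20" proto="6" srcport="50123" dstport="443"
2016:03:01-10:15:04 utm ulogd[4021]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="2" initf="eth0" outitf="eth1" srcip="10.0.0.7" dstip="198.51.100.21" proto="17" srcport="40001" dstport="53"
2016:03:01-10:15:05 utm ulogd[4021]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.9" dstip="192.0.2.10" proto="6" srcport="54322" dstport="3389"
"""

# "<timestamp> <host> <process>: <key="value" ...>"
PREFIX_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[^:\s]+):\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_utm_line(line):
    """Split one log line into a dict of columns.

    Returns None for lines that do not match, so a stray line in a live tail
    is skipped instead of aborting the whole run."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    row = {"ts": m.group("ts"), "host": m.group("host"), "proc": m.group("proc")}
    row.update(KV_RE.findall(m.group("rest")))  # every key="value" becomes a column
    return row


def parse_utm_log(text):
    """Parse a whole log (string) into a list of row dicts, dropping unparsable lines."""
    return [r for r in (parse_utm_line(l) for l in text.splitlines()) if r]


def filter_rows(rows, **criteria):
    """Keep rows whose columns equal every given value, e.g. filter_rows(rows, action="drop")."""
    return [r for r in rows if all(r.get(k) == v for k, v in criteria.items())]


def count_by_rule(rows, action=None):
    """How many packets each firewall rule (fwrule) handled, optionally for one action only."""
    return Counter(r.get("fwrule", "?") for r in rows
                   if action is None or r.get("action") == action)


def to_csv(rows, columns):
    """Flatten rows to CSV for Excel; columns missing from a row become empty cells."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore")
    w.writeheader()
    for r in rows:
        w.writerow({c: r.get(c, "") for c in columns})
    return buf.getvalue()


if __name__ == "__main__":
    # e.g. tail -f /var/log/packetfilter.log | python utmlog.py  (path assumed)
    parsed = parse_utm_log(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG)
    print(to_csv(parsed, ["ts", "action", "fwrule", "initf", "srcip", "dstip", "proto", "dstport"]))
    print("packets per rule:", dict(count_by_rule(parsed)))
```

The point of `count_by_rule` is the poster's item 2: once every line carries its `fwrule` as a column, "which rule is allowing this traffic" is a one-line group-by over the accepted packets rather than a walk through each rule's logging setting.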